The procedures for making a Subject Access Request (SAR) are set to change very little with the introduction of the General Data Protection Regulation (GDPR) in May 2018, but the process for providing a response is a little different.
It is important for businesses and organizations to be aware of these changes: if they do not comply with GDPR, they could be on the receiving end of a variety of sanctions, including hefty fines.
What Should be Included in an SAR Response?
When an SAR is received by a business or organization, it needs to provide a response that gives the individual confirmation that their data is being processed, access to the data itself and access to any supplementary data that is being held.
If the request is made by electronic means, the business is expected to provide a response via a commonly used electronic format.
What is the New Response Time for an SAR Request?
Under GDPR rules, once an SAR is received by a business, it needs to comply with the request within one month. The time limit should be calculated from the day after the request is received (whether or not the day after is a working day) until the corresponding calendar date of the next month. If the request is complex, this timeline can be extended to up to three months, but an initial response still has to be sent in the first month.
What other Changes are Happening?
One of the biggest changes to SAR procedures, with the introduction of GDPR, is that businesses cannot charge to provide the response, unless requests are excessive, unfounded or repetitive. Even if this is the case, the cost of the response can only take into account the expense that is involved in the administration of the request.
Although it is true to say that, overall, the SAR process is not going to change a great deal when GDPR comes into operation, the significant differences we have identified need to be recognized by all data protection professionals and business owners.